Posted by timothy on Thursday April 11, 2013 @03:35PM
from the you-cannot-read-this-error-message dept.

Peter Eckersley writes "At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April. It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason. Further technical analysis and commentary is in our blog post."

Australian checking in. Yes, they raid our universities to find kids breaching copyright, so we have US DMCA influence. What better way to deal with crime than to make studying even more difficult to afford...

Yes agree, we seem to have US influenced laws in the UK too, either as part of our highly asymmetric 'special relationship', some of the recent deportations and deportation attempts, for example, or via the WTO [wealthy terrorist organisation]. We need to wake up to this and see what we can do to push back via boycott etc.

Actually, it more-or-less does, at least where Title 1 is concerned. The DMCA itself is just the US's implementation of requirements agreed to internationally in a 1996 WIPO treaty, in which signatories agreed to pass laws criminalising circumvention of copyright protection technology. Similar laws exist in Europe (via national implementations of the European Union Copyright Directive), Canada, Australia, and much of the rest of the world. WIPO is a big organisation.

The notice-and-takedown provisions (Title 2) were not, AFAIK, required by any WIPO agreement and as such are not so universal outside of the US.

Every time 2 countries decide to "rationalize" their IP laws, they add their restrictions together, instead of compromising. You tend to end up with the longest term, the lowest bar, and the heaviest penalties.

I love the assumption that the whole world has a DMCA just because you do...

The DMCA was just the U.S. enactment of the WIPO Copyright Treaty [wikipedia.org], which was also enacted in Australia in 2007. So, yes, the world DOES, in fact, have a DMCA (or at least a good portion [wipo.int] of the world).

Sadly, it doesn't even need to be maliciously abused... just incompetently written and ineptly applied.

Like all laws applying to technology, the people writing them are usually incapable of understanding all of the side effects. So they get passed, and applied as written, which has the unfortunate effect of breaking lots of legitimate things.

If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.

Sadly, I'm betting someone made an effort to point this potential out to them and got ignored.

If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.

I guess a major part of the problem might be, that there is no penalty for blocking too much. If there is a penalty for blocking too little but none for blocking too much, then there is little incentive to do accurate filtering. A discussion about whether blocking would have been appropriate in this case, had it been more accurately targeted, seems pointless, since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.

Some do see it as a benefit though. How often has some country blocked the world's largest sites on the excuse that one page on each site is offending their religion. The more coarse grained your filtering is, the easier it is to conceal what you were really aiming to censor and the easier it is to find a plausible excuse for applying the filter in the first place. A civilized country shouldn't accept censorship, and especially not when it comes with such collateral damage. I don't believe there exists a problem in this world, for which censorship is the best solution.

I guess a major part of the problem might be, that there is no penalty for blocking too much.

Did you miss that this block is on one IP address? That there are 1215 virtual hosts running at this one address? How can you block less than one IP address at a router? You'd have to do deep enough packet inspection to look at the virtual hostname header in any HTTP request, and the RCPT TO in any SMTP transaction. Should there be packet filtering at that level?

since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.

That's right, we don't know which of the 1215 domain names hosted the content that justified the block. But we can know that the fact that YOU pe
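An added illustration, not part of any comment in this thread: the difference between dropping traffic by destination IP and dropping it by the HTTP `Host` header (or the SMTP `RCPT TO` domain) that the comment above says a finer-grained block would have to inspect. The address, hostnames and requests are constructed for the example.

```python
import re

SHARED_IP = "203.0.113.10"            # constructed address (documentation range)
BLOCKED_IPS = {SHARED_IP}             # router-level rule: drops every vhost on the IP
BLOCKED_HOSTS = {"blocked.example"}   # hypothetical single listed site

def http_host(request: bytes):
    """Return the lower-cased Host header (port stripped), or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            return host.rsplit(":", 1)[0] if re.search(r":\d+$", host) else host
    return None

def smtp_rcpt_domain(line: str):
    """Return the recipient domain of an SMTP 'RCPT TO:<user@domain>' command."""
    m = re.match(r"\s*RCPT TO:\s*<[^@>]*@([^>]+)>", line, re.IGNORECASE)
    return m.group(1).lower() if m else None

# Constructed plain-HTTP requests, all addressed to SHARED_IP.
# (With TLS the Host header is encrypted, so this inspection does not apply.)
SAMPLE = [
    b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n",
    b"GET /courses HTTP/1.1\r\nhost: University.Example\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: shop.example:8080\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",   # no Host header: a name-based rule cannot classify it
]

def tally(requests, dst_ip=SHARED_IP):
    """Return (requests dropped by the IP rule, requests dropped by the Host rule)."""
    by_ip = sum(dst_ip in BLOCKED_IPS for _ in requests)
    by_host = sum(http_host(r) in BLOCKED_HOSTS for r in requests)
    return by_ip, by_host

if __name__ == "__main__":
    print(tally(SAMPLE))
    print(smtp_rcpt_domain("RCPT TO:<alice@Shop.Example>"))
```

The IP rule drops all four sample requests, while the name-based rule drops only the one for the listed hostname and lets the request without a `Host` header through.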

I don't know if it's just you, but to me it sounds like a reason for governments to discourage IPv6. The way it is now they don't need to reveal which of those sites they really wanted to block, which means any fabricated story will work.

does this sound like the perfect motivation for governments to encourage IPv6 adoption?

I for one never liked name based vhosts. I have started moving my own domains to IP based vhosts on IPv6. I still have one IPv4 address with name based vhosts for those users who don't have IPv6 yet. Configuring a vhost such that it was name based when accessed over IPv4 and IP based when accessed over IPv6 was slightly tricky. But I got it working.

I do like the idea of using this as an argument for deploying IPv6. Eve

If you can implement blocking which only blocks content found to be illegal by a court of law, then that is fine. But accepting any collateral damage and accepting any blocking without the content being found illegal by a court of law is just wrong. What I am saying is, stop doing filtering, and go for the root of the problem.

But we can know that the fact that YOU personally don't know what the content

As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.

That statement makes no sense to me. The only sort of attack mentioned in the story is the DoS attack performed by another network blocking legitimate packets. There is no additional blocking that the server administrator could perform to solve that. And even if the server was under some other kind of attack (such as flooding), the only hostnames pot

That's right, we don't know which of the 1215 domain names hosted the content that justified the block.

Which, really, is irrelevant. I see 1214 domains ripe for a class action lawsuit, possibly with slander/libel/restraint of trade/... mixed in. If each (or just a lot) of them ponied up $100 down payment (plus kickstarter?), that'd keep a lawyer going for a while.

Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?

On my desktop computer I got a keyboard with a USB hub. A cable between keyboard and mouse is slightly less annoying than a cable from the mouse to the computer. On my laptop I am just using a trackpad. With training I have gotten more used to trackpads, and when I am travelling with my laptop, I often use it without access to a flat surface where I can put the mouse.

I'd still like a wireless mouse with strong cryptography and key exchange while it is charging. I th

Bluetooth v2.1 security is likely more than adequate for your requirements.

The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not p

And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements

You are assuming cryptography is all about protecting the confidentiality of data. That is a common mistake to make. But in this particular case I did point out in my initial post, that authenticity is also important. In fact in most cases authenticity and integrity of the data is more important than confidentiality.

yes, there is. the ACMA maintains a (secret) black-list of domain names and IP addresses which contains "prohibited content" which is used in filtering software. Some ISPs voluntarily use that list to block access.

The ACMA's secret blacklist has leaked on at least one occasion in the past.

In Nov last year, the Australian Federal Police started sending mandatory block notices to ISPs.

I don't think the internet filter laws got passed. I thought the ISPs jumped in and said they would voluntarily use the Interpol Worst of list [interpol.int]. I think the compromise seems reasonable. If the list is abused then it can be voluntarily not used. To be on the list you need to host porn of kids that are under 13 and this needs to be verified by multiple member countries.

I'm guessing that this has been implemented as a BGP blackhole list from TFA. An easy way for the ISP to go. They will already be running bl

A site is blocked by various ISPs. Nobody knows for sure why. Some would like to pose the situation as a government conspiracy, or at least an example of why new regulations requiring ISPs to block certain sites is bad.

No one really knows what's going on, least of all the author. There's lots of hand waving and half hearted finger pointing.

If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere. I can only see three classes of organisation that could have the power to issue a block order:
1. Government.
2. Whatever organisation supplies Australian ISPs with the list of child porn sites to block. Wouldn't be the first time - remember when all major ISPs in the UK filtered Wikipedia, because our national blocklist provider decided an album cover was child porn?
3. A copyri

Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.

I know that the summary and the article both mention that the latter is a possibility, but the headline, summary, and article, are all written as if the most likely possibility was that MFU was targeted directly.

I suspect that the ISP got a request from somebody about one of the hosted sites doing something very naughty, and the person whose job it was to pay attention to such requests didn't get them or ignored them, so an IP block was the next step.

1,200 websites on one IP address? Looking at the list, I see things that are obviously gambling websites. The IP is held by a US-based hosting company (DimeNOC). I understand that yes, this is suspicious, but with 1,199 other potential causes for black holing an IP address, I'm not convinced that MFU caused government to impose a black hole request on an arbitrary (and, if summary is to be believed, incomplete) set of ISPs.

Well, there you go then; they didn't do their homework or were so desperate to save a buck or two they didn't care about their ISP's reputation. If you chose a cheap hosting deal on an ISP with a reputation for hosting spam, botnet controllers and other such sites while exercising an exceedingly lax attitude to abuse reports, you can expect to have the odd issue like this. You get what you pay for applies to ISPs too - big surprise!

FWIW, DimeNOC is null routed here too, has been for some time, and is unlikely to be unblocked anytime soon. No conspiracy required; the only traffic we ever saw coming from their IP space was spam, malicious or both, so dropping it at the border was a no brainer.

Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.

Don't forget that if it's like most community colleges the IP address was probably blacklisted due to DDOS attacks originating from infected campus computers.

I know I had to deal with DDOS attacks from computer labs at my university. My

Hi. Stephen Conroy here. Labor party member. You morons need to know that when we, the government, block sites, it's for your own good. Sure, we don't tell you about it, and we've probably blocked things like a dentist's website, but really, what about the children?

It looks like HTTP 2.0 will require a unique IP address for each domain name.

I hope this will be true. I dislike all the workarounds applied to stretch the supply of IPv4 addresses, and I dislike name based vhosts. I'd like to see HTTP 2.0 make both of those go away, and replace it with proper IPv6 setups.

I'm guessing IPv6 eliminates any need to share IP addresses? Or are there remaining technical reasons to do so?

There are technical reasons why you might want to share an IPv6 address between multiple websites. But those technical reasons can be addressed.

If we assume a webserver is hosting 1200 domains, what would happen if it was assigned a different IPv6 address for each of those domains? The answer depends on which technical solution you choose in order to do that.

^this. We made the decision this week to simply blanket block most cloud providers' IP address ranges from accessing any of our hosted sites due to the constant scans, attacks and crawling of our sites from services people run up in their clouds. We are positive this will block some legitimate traffic and sites, but really we think that is the lesser of two evils at this stage. These cloud providers are turning into festering rats nests of scammers, phishing sites, sites hosting malware and botnets etc etc. If

I'm using Exetel which is a small ISP that relies on some of the much larger ISPs for infrastructure. My particular plan routes data via Optus, whereas the Exetel example given by the EFF blog post is by someone using a plan routed via AAPT. I can access the website without issue. iiNet at work is also fine.

I suspect this is not a request by the government to ISPs to block a particular site, mainly because I've read that Optus was happy to voluntarily block content - and they're not doing it. Not yet, at le